IP rule is a policy routing function of Linux systems. Compared with the classic routing algorithms used on the internet that make routing decisions based only on the destination address of packets, IP rule is more flexible which can support more filter attributes for route forwarding. IP rule can select routes by executing some set of policy routing rules and could set priorities of the rules.
Usage of IP Rule
Usage: ip rule [ list | add | del ] SELECTOR ACTION
IP rule supports configuring SELECTOR of the following attributes for choosing a forwarding path:
From - source address
To - destination address (here we can choose the rules, also used to search the routing entry)
Tos - TOS (type of sevice) field in IP header
Dev - physical interface
Fwmark - firewall parameters
IP rule supports configuring the ACTION on how to process the packets if the rule selector matches:
Table - the routing table identifier to lookup if the rule selector matches
Nat - translate the source address of the IP packet into some other value
Prohibit - drop the packets and generate a 'Communication is administratively prohibited' error
Reject - drop the packets
Unreachable - drop the packets and generate a 'Network is unreachable' error
Policy Routing Rules
Linux supports up to 255 routing tables, each routing table has its own table name and table ID. IP rule action defines tables to lookup if the rule selector matches. IP rule also defines the priority parameter which indicates the priority of this rule. Higher number means lower priority, and rules get processed in order of increasing number. Each rule should have an explicitly set unique priority value.
When executing ip rule command on Linux shell, we can find all the IP rules of the current system.
By default, the kernel configures three rules:
- Priority: 1500, Selector: match anything, Action: lookup routing table local (ID 255). The local table is a special routing table containing high priority control routes for local and broadcast addresses.
- Priority: 32766, Selector: match anything, Action: lookup routing table main (ID 254). The main table is the normal routing table containing all non-policy routes and all the management network routes.
- Priority: 32767, Selector: match anything, Action: lookup routing table default (ID 253). The default table is empty. It is reserved for some post-processing if no previous default rules selected the packet.
On the basis of the default rules, PICOS adds three new rules before the rule with priority 32766.
- Priority: 1000, Selector: match anything, Action: lookup routing table l3mdev-table. The l3mdev-table is a VRF associated routing table.
- Priority: 2000, Selector: match packets from all source to destination address of eth0_subnet, Action: lookup routing table main (ID 254). The eth0_subnet represents the subnet address of eth0 interface, for example, if the IP address of eth0 interface is 10.10.51.195, then eth0_subnet will be 10.10.51.195/24.
- Priority: 2001, Selector: match from source address of packets eth0_address, Action: lookup routing table main (ID 254). The eth0_address represents the IP address of eth0 interface, for example, 10.10.51.195.
- Priority: 2010, Selector: match anything, Action: lookup routing table 252 (ID 252, both table name and table ID are 252). The 252 table contains all the IPv4 service network routes.
Here is an example explaining how IP rule works on management network routes and service network routes.
1. Configure IP addresses for service port and eth0 management port.
#Configure the IP address for service port.
#Assign an IP address to the eth0 management port by default method of DHCP. Use ifconfig eth0 command to find the IP address of eth0.
2. Configure the next hop of 10.10.20.0/24 as the IP address of the service network segment.
Check the routing table. The above routing entry is only in 252 table and not in the main table because the next hop is the IP address of the service network segment.
3. Configure next hop of default route as IP address of the management network gateway.
The management port does not support the configuration of network segment routing, you can only configure the default route.
Check the routing table. The above routing entry is only in main table and not in 252 table because the next hop is the IP address of the management network segment.
4. Configure the next hop of default route as the IP address of the service network segment.
Check the routing table. The above routing entry is only in 252 table and not in main table because the next hop is the IP address of the service network segment.
There are default routing entries in both 252 table and main table, the default routing entry in the main table is automatically generated by the system when assigning the IP address by DHCP. When the packet matches no routing entry in the routing table, it will then match the default routing entry. In this case, the default routing entry in 252 table is used preferentially for route forwarding as the priority of 252 table is higher than the main table.
5. If the source IP address carried in a packet is empty and the packet matches no routing entry in the routing table, the default route in the 252 table and the service port is used for packet forwarding.
#For example, ping 10.10.50.22 without source IP.
# When the source address carried in a packet is the IP address of the eth0 management interface, the packet will match the IP rule: "2000: from 10.10.51.142 lookup main". For example, ping 10.10.50.22 with source IP 10.10.51.142.